Next Generation Privileged Identity Management: What Will It Take?


The hybrid cloud represents a new generation of computing. Inevitably, advancements in infrastructure bring new requirements for management solutions. There are five core capabilities essential to achieving Next Generation Privileged Identity Management.

Establish a Single Point of Control

One of the primary attractions of the hybrid cloud is flexibility. IT managers can select the platform delivering the optimal combination of cost, speed and control and then rapidly deploy applications and systems. But flexibility can work against the goal of consistent controls since there are now multiple points where policy can be defined. Inconsistent policies lead to uneven protection across platforms, and greater chances for compliance or audit failures. Not to mention the administrative overhead of maintaining controls across all those environments.

An essential requirement for establishing a single point of control is the ability to protect all technology platforms across the entire hybrid cloud. A solution that doesn’t protect all platforms—or that requires different modules and repeated definitions of policies for different platforms—leads to the gaps in coverage, risk and administrative overhead described above. An ideal next generation solution lets an organization define privileged identity management policies based on varied criteria (such as user role or infrastructure type), and then enforce those policies across the organization’s entire computing fabric, from traditional on-premises network equipment and servers to virtual and public-cloud infrastructure.

Another important requirement is the ability to deliver a comprehensive set of controls, including credential management, authentication, access control, and user monitoring and logging. In many organizations, point products are employed to address these individual functions. The result is patchwork protection, with gaps in coverage and extra cost.

Run Anywhere/Manage Anywhere

The flexibility of the hybrid cloud calls for matching flexibility in where a privileged identity management solution can be installed and in the architectural choices a product enables. Administratively and operationally, it’s important that a next generation solution support native installations across the cloud. That is not the same as installing software on a virtual server, which leaves a great deal of work and administrative overhead to the customer. Native installations—traditional rack-mounted hardware or virtual appliances (OVF- or AMI-compliant)—make deployment faster, with fewer opportunities for failure. Native installation also puts the onus on the vendor to update, support and manage the full software stack rather than relying on the security team for expertise in configuring and maintaining operating systems, middleware and the application.

Architecturally, it’s critical that a next generation solution be able to manage resources across the cloud, regardless of where the system itself is physically located. Resources to be protected exist everywhere. If a management system must be installed in a specific environment—or worse, in multiple environments—then flexibility is unacceptably constrained.

Keep Pace With Dynamic, Highly Scalable Hybrid Cloud Environments

A key advantage of virtualized environments and public cloud computing is the ability to rapidly respond to changing demands—scaling deployments up and down in response to business conditions, or transferring workloads to satisfy operational needs. A next generation privileged identity management product must be able to keep pace with these changes in order to avoid becoming a drag on operations and the business.

To do so, next generation Privileged Identity Management (PIM) solutions must support automated discovery of resources and automatic policy provisioning. It’s not enough for a solution to discover new devices that need to be secured. It must automatically apply policies for at least a baseline level of protection. Otherwise, organizations face increased administrative costs, reduced responsiveness, and increased risk.

It’s also important to avoid solutions that require agents on target systems to enable basic functionality. Installing and managing yet another agent quickly adds to the operational burden. The time lag between when a resource is deployed and when it is protected is time during which the system is open to abuse or exploitation. Managers should consider a new metric: mean time to protection, or MTTP. A next generation PIM is specifically designed to reduce MTTP even in highly dynamic environments.
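As an added illustration of the two points made so far (policy defined once and keyed on criteria such as infrastructure type or role, then applied automatically to whatever a discovery sweep finds, with MTTP as the metric), here is a small Python model. It is example code written for this page, not any product’s implementation; the resource names, rule table, policy names and timestamps are constructed. Note that a still-unprotected resource is counted up to the current time, so the average cannot hide an open exposure window.

```python
# Added example (not from the article): policy defined once, auto-applied on discovery, plus MTTP.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

T0 = datetime(2024, 1, 1, 12, 0, 0)  # constructed epoch for the sample inventory
def clock(minutes: int) -> datetime:  # a point in time 'minutes' after T0
    return T0 + timedelta(minutes=minutes)

@dataclass
class Resource:
    name: str
    platform: str                  # "onprem", "vsphere" or "aws"
    role: str                      # workload role such as "db" or "web"
    deployed_at: datetime          # when the resource came into existence
    protected_at: Optional[datetime] = None   # None until a policy is applied
    policy: Optional[str] = None

# One rule table for every platform; "*" is a wildcard and the final catch-all guarantees a baseline.
POLICIES = [
    {"platform": "aws", "role": "db", "policy": "aws-db-strict"},
    {"platform": "*",   "role": "db", "policy": "db-vault-rotate-24h"},
    {"platform": "*",   "role": "*",  "policy": "baseline-mfa-session-record"},
]

def select_policy(res: Resource) -> str:
    """First matching rule wins; the catch-all means this never falls through."""
    for rule in POLICIES:
        if rule["platform"] in ("*", res.platform) and rule["role"] in ("*", res.role):
            return rule["policy"]
    raise LookupError(f"no policy for {res.name}")

def provision_unprotected(resources: List[Resource], now: datetime) -> List[str]:
    """One discovery sweep: protect every deployed, still-unprotected resource."""
    done = []
    for res in resources:
        if res.deployed_at <= now and res.protected_at is None:
            res.policy, res.protected_at = select_policy(res), now
            done.append(res.name)
    return done

def mttp_seconds(resources: List[Resource], now: datetime) -> float:
    """Mean time to protection; a still-unprotected resource counts up to 'now'."""
    gaps = [((r.protected_at or now) - r.deployed_at).total_seconds() for r in resources]
    return sum(gaps) / len(gaps) if gaps else 0.0

def sample_inventory() -> List[Resource]:  # constructed inventory, nothing protected yet
    return [Resource("web-01", "onprem", "web", clock(0)),
            Resource("db-aws-01", "aws", "db", clock(10)),
            Resource("db-vs-01", "vsphere", "db", clock(20))]
```

Running a sweep at T0+15 min protects the two resources that exist by then and leaves the one deployed at T0+20 open, so the sweep interval directly bounds MTTP.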

Reliability is also important. The hybrid cloud is routinely used for mission critical workloads. Next generation solutions must provide scalability and availability capabilities such as clustering and failover. Ideally, these will be built-in since their absence will require organizations to invest additional money and resources to implement third-party solutions, adding costs, complexity and delays.

Enable Identity as the Perimeter

Traditional approaches to privileged identity management rely on perimeter-based security controls. By controlling access to systems, a basic level of privileged user control could be exerted. Arguably, this approach never worked well, since it fundamentally equates authentication and network access with authorization. But it falls completely short in cloud environments, where perimeters are ill-defined. In recognition of these shifts, identity is emerging as the de facto new perimeter. Basing access to resources on an individual’s identity allows granular access control, flexibility, auditability and ease of use.

But identity introduces its own challenges—primarily the number of identities an individual possesses. Identity is defined in multiple locations: frequently in enterprise directories, but in other systems as well, such as Amazon’s Identity and Access Management (IAM) service. First generation PIM solutions can make this situation worse by adding yet another “island” of identity. A superior approach is to integrate with existing identity stores and bridge or federate identity across them.

When considering identity, it’s important to include strong authentication technologies like smartcards and security tokens supporting multi-factor and composite authentication. The US Federal government, for example, has mandated the use of PIV/CAC smartcards for authentication.

Protect the Extended Management Plane

The hybrid cloud strains first generation PIM solutions to the breaking point. Consider the management consoles used to control the AWS and vSphere environments. By themselves, they introduce significant new attack surfaces to protect. Given the power these systems deliver to trusted users, they also increase risk by raising the potential impact of a breach or policy violation. Next generation PIM solutions must offer tight integration with these consoles, in order to deliver an adequate level of control and appropriate separation of duties.

That task is complicated because these consoles expose much of their functionality via APIs. In some organizations, most administration and management tasks are performed by scripts calling these APIs. Application-to-application (A2A) privileged user controls have always been important, and these APIs have emerged as another critical resource to protect.

Bottom Line – The Need for a Next Generation PIM

The hybrid cloud is a new environment that brings new benefits of speed and flexibility. Those same characteristics place new demands on privileged identity management. By ensuring that their PIM solutions address these five core Next Generation requirements, managers can be confident their Privileged Identity Management solution will keep pace and provide protection across this dynamic new environment.